Amazon Web Services Lunch and Learn session: How Security works on AWS and how you can architect for it

1. How Security Works in AWS
&
How You Can Architect For It
Markku Lepistö
Principal Technology Evangelist
@markkulepisto

2. AWS Cloud Security
“Based on our experience, I believe that we can be
even more secure in the AWS cloud than in our
own data centers.”
-Tom Soderstrom, CTO, NASA JPL

3. Visibility
– In the AWS cloud, see your entire infrastructure at the click of a
mouse
– Can you map your current network?

5. Defense in Depth
Multi-level security
• Physical security of the data centers
• Network security
• System security
• Data security DATA

6. Gain access to a world-class security team
Where would some of the world’s top security
people like to work? At scale on huge
challenges with huge rewards
So AWS has world-class security and
compliance teams watching your back!
Every customer benefits from the tough
scrutiny of other AWS customers

7. Build everything on a constantly improving security baseline
AWS
Founda+on
Services
Compute
Storage
Database
Networking
AWS
Global
Infrastructure
Regions
Availability
Zones
Edge
Loca+ons

8. AWS
Founda+on
Services
Compute
Storage
Database
Networking
AWS
Global
Infrastructure
Regions
Availability
Zones
Edge
Loca+ons
Client-­‐side
Data
Encryp2on
Server-­‐side
Data
Encryp2on
Network
Traffic
Protec2on
Pla<orm,
Applica2ons,
Iden2ty
&
Access
Management
Opera2ng
System,
Network
&
Firewall
Configura2on
Customer
content
Customers
Let AWS do the heavy lifting for you
Customers are
responsible for
their security and
compliance IN
the Cloud
AWS is
responsible for
the security OF
the Cloud

9. AWS
Founda+on
Services
Compute
Storage
Database
Networking
AWS
Global
Infrastructure
Regions
Availability
Zones
Edge
Loca+ons
Your
own
accredita2on
Meet your own security objectives
Your
own
cer2fica2ons
Your
own
external
audits
Customer scope
and effort is
reduced
Better results
through focused
efforts
Built on AWS
consistent
baseline controls
Customers

10. AWS
Region
US-WEST (N. California)
EU-WEST (Ireland)
ASIA PAC (Tokyo)
ASIA PAC (Singapore)
US-WEST (Oregon)
SOUTH AMERICA (Sao Paulo)
US-EAST (Virginia)
GOV CLOUD
ASIA PAC
(Sydney)
You can stay onshore in any location that you need to

11. You can choose to keep all your content onshore in any
AWS region of YOUR choice
• AWS makes no secondary use of customer content
• Managing your privacy objectives any way that you want
• Keep data in your chosen format and move it, or delete it, at any
time you choose
• No automatic replication of data outside of your chosen AWS
Region
• Customers can encrypt their content any way they choose
You always have full ownership and control

12. You can
improve your security
with the AWS cloud

13. Every solution can be resilient and fault tolerant
AWS
operates
scalable,
fault
tolerant
services
Build
resilient
solu2ons
opera2ng
in
mul2ple
datacenters
AWS
helps
simplify
ac2ve-­‐ac2ve
resilient
solu2ons
All
AWS
facili2es
are
always
on
No
need
for
a
“Disaster
Recovery
Datacenter”
when
you
can
have
resilience
Every
AWS
facility
managed
to
the
same
global
standards
AWS has robust connectivity and bandwidth
Each AZ has multiple, redundant Tier 1 ISP Service Providers
Resilient network infrastructure

14. Every network has fine-grained security built-in
AvailabilityZoneA
AvailabilityZoneB
You control your VPC
address range
• Your own private, isolated
section of the AWS cloud
• Every VPC has a private IP
address space you define
• Create your own subnets and
control all internal and
external connectivity
AWS network security
• AWS network will prevent
spoofing and other common
layer 2 attacks
• Every compute instance gets
multiple security groups -
stateful firewalls
• Every subnet gets network
access control lists

15. You can create multi-tier architectures every time
VPC A - 10.0.0.0/16
AvailabilityZoneA
10.0.1.0/24
10.0.2.0/24
10.0.3.0/24
EC
2
10.0.5.0/24
Jump
host
10.0.4.0/24
EC
2
App Log
EC
2
Web
Load
balancing

16. Firewall every single compute instance
VPC A - 10.0.0.0/16
AvailabilityZoneA
10.0.1.0/24
10.0.2.0/24
10.0.3.0/24
EC
2
10.0.5.0/24
Jump
10.0.4.0/24
EC
2
App
“Web servers will accept Port 80
from load balancers”
“App servers will
accept Port 8080
from web
servers”
“Allow SSH
access only from
from Jump Hosts”
Log
EC
2
Web
Load
balancing

17. Enable network access control on every subnet
VPC A - 10.0.0.0/16
AvailabilityZoneA
10.0.1.0/24
10.0.2.0/24
10.0.3.0/24
EC
2
10.0.5.0/24
Jump
10.0.4.0/24
EC
2
App Log
EC
2
Web
“Deny all traffic between the web
server subnet and the database
server subnet”
Load
balancing

18. Control every Internet connection
VPC A - 10.0.0.0/16
AvailabilityZoneA
10.0.1.0/24
10.0.2.0/24
EC
2
10.0.3.0/24
EC
2
10.0.4.0/24
EC
2
App
EC
2
WebEC
2
WebEC
2
EC
2
Web
Internet Gateway
Control Internet routing
• Create Public subnets and
Private subnets
• Implement DMZ architectures
as per normal best practices
• Allocate static Elastic IP
addresses or use AWS-
managed public IP addresses
Load
balancing

19. Connect in private to your existing datacentres
VPC A - 10.0.0.0/16
AvailabilityZoneA
10.0.1.0/24
10.0.2.0/24
EC
2
10.0.3.0/24
EC
2
10.0.4.0/24
EC
2
App
EC
2
WebEC
2
WebEC
2
EC
2
Web
Use Internet VPNs
or use AWS Direct
Connect
Your premises
Load
balancing

20. You can route to the Internet using your gateway
VPC A - 10.0.0.0/16
AvailabilityZoneA
10.0.1.0/24
10.0.2.0/24
EC
2
10.0.3.0/24
EC
2
10.0.4.0/24
EC
2
App
EC
2
WebEC
2
WebEC
2
EC
2
Web
Use Internet VPNs
or use AWS Direct
Connect
Your premises
Load
balancing

21. Create flexible multi-VPC hybrid environments
Your organisation
Project Teams Marketing
Business Units Reporting
Digital /
Websites
Dev and
Test
Redshift
EMR
Analytics
Internal
Enterprise
Apps
Amazon
S3
Amazon
Glacier
Storage/
Backup

22. Every website can absorb attacks and scale out
Amazon S3
Distributed
attackers
Customers
Customers
Route53
Singapore region
CloudFront
Your VPC
WAFWAF WAFWAF
ELB ELB
ELB ELB
App App App App
Auto
Scaling
Auto
Scaling
Auto
Scaling
Auto
Scaling

23.
Encrypt
your
Elas2c
Block
Store
volumes
any
way
you
like
• AWS
na2ve
EBS
encryp2on
for
free
with
a
mouse-­‐click
• Encrypt
yourself
using
free
u2li2es,
plus
Trend,
SafeNet
and
other
partners
for
high-­‐assurance
key
management
solu2ons
Amazon
S3
offers
either
server
or
client-­‐side
encryp2on
• Manage
your
own
keys
or
let
AWS
do
it
for
you
RedshiT
has
one-­‐click
disk
encryp2on
as
standard
• Encrypt
your
data
analy2cs
• You
can
supply
your
own
keys
RDS
supports
transparent
data
encryp2on
(TDE)
• Easily
encrypt
sensi2ve
database
tables
You can encrypt your sensitive information everywhere
DBA

24. Tamper-resistant customer controlled hardware
security modules within your VPC
• Industry-standard SafeNet Luna devices. Common Criteria
EAL4+, NIST FIPS 140-2 certified
• No access from Amazon administrators who manage and
maintain the appliance
• High availability and replication with on-premise HSMs
Reliable & Durable Key Storage
• Use for transparent data encryption on self-managed
databases and natively with AWS Redshift
• Integrate with applications using Java APIs and AWS
SDKs
• Integration with marketplace disk-encryption and SSL
You can store your encryption keys in AWS CloudHSM

25. You can use your own HSMs if you want
Your premises
Applications
Your HSM
NATCloudHSM NATCloudHSM
Volume, object,
database encryption
Signing / DRM /
apps
EC2
SYNC
EBS
S3
Amazon S3
Amazon Glacier

26. You can enforce consistent security on your hosts
Launch
instanc
e
EC2
AMI catalogue Running instance Your instance
Hardening
Audit and logging
Vulnerability management
Malware and HIPS
Whitelisting and integrity
User administration
Operating system
Configur
e
instance
You
control
the
configura2on
of
your
EC2
compute
instances
and
can
configure
and
harden
opera2ng
environments
to
your
own
specs
Use host-based protection software
• Apply best-practice top 5 mitigation strategies!
Think about how you will manage administrative users
• Restrict access as much as possible
Build out the rest of your standard security environment
• Connect to your existing services, e.g. SIEM

27. Old World – Static, Fixed Systems
DB1 DB2
App1 App2
Web1 Web2
SW1 SW2
LB1 LB2

28. “Cloud applications have
amorphous, polymorphic
attack surfaces.”
-Jason Chan
Director of Engineering,
Cloud Security
Netflix

29. What’s not there
is not a hole

30. Install Only the Packages You Use
YOUR CODE
CORE SERVICES
3rd PARTY
LIBRARIES
OPERATING
SYSTEM
Bare minimum, Just-enough-OS
Install & run only the services you use
Install only the libraries you use
Upgrade
&
Patch
ALL
Continuously
Each app tier has only its own code

31. « Cloud Instance is an
implementation of a
known, good state »
Dr Rich Wolski, UCSB

32. AMIAMIAMI
YOUR CODE
CORE SERVICES
3rd PARTY
LIBRARIES
OPERATING
SYSTEM
YOUR CODE
CORE SERVICES
3rd PARTY
LIBRARIES
OPERATING
SYSTEM
YOUR CODE
CORE SERVICES
3rd PARTY
LIBRARIES
OPERATING
SYSTEM
Pre-baked Image Base OS Image + Orchestration

33. 3rd Party Configuration Mgmt & Orchestration Tools

34. AWS
OpsWorks
AWS
CloudForma+on
AWS
Elas+c
Beanstalk
DevOps
framework
for
applica+on
lifecycle
management
and
automa+on
Templates
to
deploy
&
update
infrastructure
as
code
Automated
resource
management
–
web
apps
made
easy
DIY
/
On
Demand
DIY,
on
demand
resources:
EC2,
S3,
custom
AMI’s,
etc.
ControlConvenience
AWS Services for Application Lifecycle Management

35. Validate All Inputs
Your Code
Never Assume Input Validity
Strict Checks and Discard
API /
Interface /
Port

36. Control access and segregate duties everywhere
With
AWS
IAM
you
get
to
control
who
can
do
what
in
your
AWS
environment
and
from
where
Fine-­‐grained
control
of
your
AWS
cloud
with
two-­‐
factor
authen2ca2on
Integrated
with
your
exis2ng
corporate
directory
using
SAML
2.0
and
single
sign-­‐on
AWS account
owner
Network
management
Security
management
Server
management
Storage
management

37. Full visibility of your AWS environment
• CloudTrail will record access to API calls and save logs in
your S3 buckets, no matter how those API calls were
made
Who did what and when and from what IP address
• Support for many AWS services and growing - includes
EC2, EBS, VPC, RDS, IAM and RedShift
• Easily Aggregate all log information
Out of the box integration with log analysis tools from
AWS partners including Splunk, AlertLogic and SumoLogic
Get consistent visibility of logs that you can monitor

38. You get to do all of this in
DEVELOPMENT
TESTING
PRE-PRODUCTION
LIVE

39. Read AWS security whitepapers, tips and good practices
• http://blogs.aws.amazon.com/security
• http://aws.amazon.com/compliance
• http://aws.amazon.com/security
• Risk and compliance, best practices, audit guides and
operational checklists to help you before you go live
• Workshop
solu2ons
with
an
AWS
solu2ons
architect,
including
me!
• Get
free
trials
of
security
from
AWS
Partners
on
the
AWS
marketplace
Sign up for AWS premium support
• http://aws.amazon.com/support
• Get help when you need it most – as you grow
• Choose different levels of support with no long-term commitment
Further info and how to get AWS support

40. SHOW MEALREADY !

41. DEMOS
1. Use IAM & Multi-Factor Authentication to login to AWS
2. Create new Amazon VPC in Singapore
3. IPSEC VPN connect Tokyo office with Singapore VPC
4. Customize EC2 Instance with minimal footprint, secure config
5. Control Security Groups

42. VPN
Tunnels
Customer VPN
Gateway
Desktop
VPC - Singapore
• VPC CIDR Network: 10.100.0.0/16
• VPC Subnet 1: 10.100.0.0/23
• VPC Subnet 2: 10.100.2.0/23
• VPN Type: Dynamic BGP
Office – Tokyo
• Office Network: 10.96.24.0/21
• VPN Gateway IP: 54.92.27.101
Our First Virtual Private Cloud
Application
Server
Availability Zone BAvailability Zone A

43. Contact Your AWS Account Manager
To discuss your use cases & opportunities to
try AWS services
Follow us on at @AWSCloudSEAsia
Join the AWS User Group at
Facebook.com – search ‘AWS User Group Singapore’

44. Thank
you
Markku
Lepistö
–
Principal
Technology
Evangelist
@markkulepisto